Replies

If you reboot the 3005 the the 806 is still going to think the tunnel is up and will keep sending data over that tunnel. The 3005 will complain and say I'm receiving encrypted packets with a SPI that I don't have. You should be able to resolve this by clearing the tunnel on the 806 with "clear cry sa" and "clear cry isa", you shouldn't have to reboot the 806 (all this is really doing is clearing the tunnel anyway).

As for why the 806 sometimes doesn't call in, not sure. Is there any way you can get any crypto debugs when it's not working to see what it's doing? that might be the only way to tell. I presume you're using 12.2(8)YJ (EzVPN Phase II) code and you have the "connect auto" command in the 806 config, is that correct? If not, then it'll take traffic from behind the 806 to re-initiate the tunnel after it times out.